flyctl build-secret cannot be multiline breaking necessary private key format

In order to read private repositories at build time I need to provide a private key to the docker build command.

The docker build works on its own with the following command, to add a secret SSH_PRV_KEY which is an ed25519 private key file
DOCKER_BUILDKIT=1 docker build --secret id=SSH_PRV_KEY,src=id_ed25519

Following Build Secrets · Fly Docs I simply try to provide the secret

flyctl deploy --build-secret SSH_PRV_KEY=$(cat id_ed25519)

But this doesn’t work, the secret in the docker build ends up being only the first line of the private key file. As far as I know, I cannot alter the format of the private key to make it work.

Why is the --build-secret argument having such behaviour and should this be considered a bug?

If you can alter it, base64 the secret without wrapping lines?

And un-base64 it before reading it back.


Fly’s builders don’t use buildkit, btw. But if you need to, I guess you can build the docker image offline (on an AMD/Intel machine), you can later push it to Fly: Push to Fly.io image registry via Docker API - #2 by ignoramous

In case you didn’t know (and if it fits your needs):

  • flyctl deploy --local-only builds a docker image locally (as opposed to on a Fly builder) and deploys it to your app.
  • flyctl deploy --local-only --build-only builds the image locally and pushes it to Fly’s docker registry, which you can later deploy (docs).
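The base64 suggestion made earlier in the thread, as an added example that is not part of any post or of Fly's documentation: it encodes a multi-line key file as one line with no whitespace, restores it byte for byte with owner-only permissions, and counts how many arguments the shell produces from the raw and the encoded value. The function names and the sample "key" (a constructed placeholder, not a real key) are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: carry a multi-line secret as a single base64 line.

# Encode a file as ONE base64 line; tr removes any wrapping newlines,
# so the result is the same with GNU and BSD base64.
encode_secret() {
    base64 < "$1" | tr -d '\n'
}

# Decode a single-line base64 value into a file readable only by its owner
# (ssh refuses private keys with looser permissions).
decode_secret() {
    ( umask 077 && printf '%s' "$1" | base64 --decode > "$2" )
}

# Report how many arguments a command would receive.
count_args() { echo "$#"; }

# Constructed placeholder with the same multi-line layout as a key file.
make_sample_key() {
    cat > "$1" <<'EOF'
-----BEGIN OPENSSH PRIVATE KEY-----
Y29uc3RydWN0ZWQtc2FtcGxlLW5vdC1hLXJlYWwta2V5
bGluZS10d28tb2YtdGhlLXBsYWNlaG9sZGVy
-----END OPENSSH PRIVATE KEY-----
EOF
}

roundtrip_demo() {
    dir=$(mktemp -d) || return 1
    make_sample_key "$dir/key"
    encoded=$(encode_secret "$dir/key")
    decode_secret "$encoded" "$dir/restored"
    # Unquoted expansion: the shell splits the raw file on spaces and newlines.
    raw_args=$(count_args SSH_PRV_KEY=$(cat "$dir/key"))
    # The encoded value has no whitespace, so it stays one argument.
    encoded_args=$(count_args SSH_PRV_KEY=$encoded)
    if cmp -s "$dir/key" "$dir/restored"; then same=yes; else same=no; fi
    rm -rf "$dir"
    echo "raw_args=$raw_args encoded_args=$encoded_args identical=$same"
}

# Deploy-side usage with the flag shown in the thread:
#   flyctl deploy --build-secret SSH_PRV_KEY="$(encode_secret id_ed25519)"
# The build step then decodes the secret before handing it to ssh or git.
roundtrip_demo
```

Delete the decoded key file in the same build step that uses it so it does not persist in an image layer.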